Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6402	April 14, 2023, 9:23 a.m.	April 14, 2023, 9:26 a.m.

Archive PDFViewer.exe @ PDFViewer.zip

Size	100.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`fca9b3315dc5611a8a3d6a2abb838e30`
SHA1	`6a3433fc51fd26617937b8ea2127bd573c822165`
SHA256	`2215d3bcd4b8f60494491762b13aee1a5d011fe81a1742ab66aedf7616b9f77d`
SHA512	`9236eef77d7b5cc4ba3de0e79f6b273417ddc85bc37efb4c724c7d51013fcdb24dfd71a91e76129b342a471d5f133f1fccc719b5290fe26af8cc6b6a5315ab53`
CRC32	`F6583D2C`
ssdeep	`24576:45+q6M4O19AKvoesqySB+SfPecEVRwMGiO3:nJMTXAEoesqySpfiq`
PDB Path	TheJindoSoft.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

PDFViewer.exe "C:\Users\test22\AppData\Local\Temp\PDFViewer.exe"
2144

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 14, 2023, 9:24 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 14, 2023, 9:24 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 14, 2023, 9:23 a.m.			0	0
IsDebuggerPresent April 14, 2023, 9:23 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

TheJindoSoft.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 14, 2023, 9:23 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 14, 2023, 9:24 a.m.	stacktrace: 0x7fe9354d718 0x7fe93544686 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bcf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bcf242 CoUninitializeEE+0x4f7a7 GetMetaDataInternalInterface-0x27f75 clr+0x5294b @ 0x7fef2bd294b CoUninitializeEE+0x4f782 GetMetaDataInternalInterface-0x27f9a clr+0x52926 @ 0x7fef2bd2926 CoUninitializeEE+0x4fece GetMetaDataInternalInterface-0x2784e clr+0x53072 @ 0x7fef2bd3072 CoUninitializeEE+0x4fdae GetMetaDataInternalInterface-0x2796e clr+0x52f52 @ 0x7fef2bd2f52 CoUninitializeEE+0x4f67f GetMetaDataInternalInterface-0x2809d clr+0x52823 @ 0x7fef2bd2823 NGenCreateNGenWorker+0x4875 _AxlPublicKeyBlobToPublicKeyToken-0x42997 clr+0x2142d9 @ 0x7fef2d942d9 getJit-0xc697 clrjit+0x94b49 @ 0x7fef1474b49 getJit-0xc67a clrjit+0x94b66 @ 0x7fef1474b66 getJit-0x4d446 clrjit+0x53d9a @ 0x7fef1433d9a getJit-0x4d52d clrjit+0x53cb3 @ 0x7fef1433cb3 getJit-0x86719 clrjit+0x1aac7 @ 0x7fef13faac7 getJit-0x81eca clrjit+0x1f316 @ 0x7fef13ff316 getJit-0x8057b clrjit+0x20c65 @ 0x7fef1400c65 getJit-0x805da clrjit+0x20c06 @ 0x7fef1400c06 getJit-0x9b4b9 clrjit+0x5d27 @ 0x7fef13e5d27 getJit-0x89eb5 clrjit+0x1732b @ 0x7fef13f732b PreBindAssemblyEx+0x1d9fa CreateHistoryReader-0x5526a clr+0x1207ee @ 0x7fef2ca07ee PreBindAssemblyEx+0x1d94b CreateHistoryReader-0x55319 clr+0x12073f @ 0x7fef2ca073f PreBindAssemblyEx+0x1d83a CreateHistoryReader-0x5542a clr+0x12062e @ 0x7fef2ca062e PreBindAssemblyEx+0x1d718 CreateHistoryReader-0x5554c clr+0x12050c @ 0x7fef2ca050c StrongNameTokenFromPublicKey+0x893a SetRuntimeInfo-0x33006 clr+0x9e88a @ 0x7fef2c1e88a CoUninitializeEE+0x4d7cd GetMetaDataInternalInterface-0x29f4f clr+0x50971 @ 0x7fef2bd0971 CoUninitializeEE+0x4cd27 GetMetaDataInternalInterface-0x2a9f5 clr+0x4fecb @ 0x7fef2bcfecb DllRegisterServerInternal-0xcc6 clr+0x24da @ 0x7fef2b824da CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bcf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bcf242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2c1b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2c1ad83 mscorlib+0x563c95 @ 0x7fef1a83c95 mscorlib+0x486001 @ 0x7fef19a6001 0x7fe93521010 0x7fe93520ccb mscorlib+0x53407e @ 0x7fef1a5407e mscorlib+0x4ef8a5 @ 0x7fef1a0f8a5 mscorlib+0x4ef609 @ 0x7fef1a0f609 mscorlib+0x533e55 @ 0x7fef1a53e55 mscorlib+0x533c75 @ 0x7fef1a53c75 mscorlib+0x49b82a @ 0x7fef19bb82a CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bcf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bcf242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2bcf30b DestroyAssemblyConfigCookie+0x2123d PreBindAssembly-0x613 clr+0x1027c1 @ 0x7fef2c827c1 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2c76d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2c76d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2c76c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2c76dbb DestroyAssemblyConfigCookie+0x211a4 PreBindAssembly-0x6ac clr+0x102728 @ 0x7fef2c82728 DestroyAssemblyConfigCookie+0x1834b PreBindAssembly-0x9505 clr+0xf98cf @ 0x7fef2c798cf DestroyAssemblyConfigCookie+0x1824f PreBindAssembly-0x9601 clr+0xf97d3 @ 0x7fef2c797d3 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef2d066ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 8b 00 48 8b 40 40 4c 8b 9d 50 01 00 00 48 8b exception.instruction: mov rax, qword ptr [rax] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe9354d718 registers.r14: 0 registers.r15: 0 registers.rcx: 8787503087645 registers.rsi: 0 registers.r10: 8789975305688 registers.rbx: 0 registers.rsp: 472774800 registers.r11: 472756720 registers.r8: 32 registers.r9: 8791558582712 registers.rdx: 8791552887176 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 14, 2023, 9:24 a.m.

stacktrace:

0x7fe9354d718
0x7fe93544686
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bcf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bcf242
CoUninitializeEE+0x4f7a7 GetMetaDataInternalInterface-0x27f75 clr+0x5294b @ 0x7fef2bd294b
CoUninitializeEE+0x4f782 GetMetaDataInternalInterface-0x27f9a clr+0x52926 @ 0x7fef2bd2926
CoUninitializeEE+0x4fece GetMetaDataInternalInterface-0x2784e clr+0x53072 @ 0x7fef2bd3072
CoUninitializeEE+0x4fdae GetMetaDataInternalInterface-0x2796e clr+0x52f52 @ 0x7fef2bd2f52
CoUninitializeEE+0x4f67f GetMetaDataInternalInterface-0x2809d clr+0x52823 @ 0x7fef2bd2823
NGenCreateNGenWorker+0x4875 _AxlPublicKeyBlobToPublicKeyToken-0x42997 clr+0x2142d9 @ 0x7fef2d942d9
getJit-0xc697 clrjit+0x94b49 @ 0x7fef1474b49
getJit-0xc67a clrjit+0x94b66 @ 0x7fef1474b66
getJit-0x4d446 clrjit+0x53d9a @ 0x7fef1433d9a
getJit-0x4d52d clrjit+0x53cb3 @ 0x7fef1433cb3
getJit-0x86719 clrjit+0x1aac7 @ 0x7fef13faac7
getJit-0x81eca clrjit+0x1f316 @ 0x7fef13ff316
getJit-0x8057b clrjit+0x20c65 @ 0x7fef1400c65
getJit-0x805da clrjit+0x20c06 @ 0x7fef1400c06
getJit-0x9b4b9 clrjit+0x5d27 @ 0x7fef13e5d27
getJit-0x89eb5 clrjit+0x1732b @ 0x7fef13f732b
PreBindAssemblyEx+0x1d9fa CreateHistoryReader-0x5526a clr+0x1207ee @ 0x7fef2ca07ee
PreBindAssemblyEx+0x1d94b CreateHistoryReader-0x55319 clr+0x12073f @ 0x7fef2ca073f
PreBindAssemblyEx+0x1d83a CreateHistoryReader-0x5542a clr+0x12062e @ 0x7fef2ca062e
PreBindAssemblyEx+0x1d718 CreateHistoryReader-0x5554c clr+0x12050c @ 0x7fef2ca050c
StrongNameTokenFromPublicKey+0x893a SetRuntimeInfo-0x33006 clr+0x9e88a @ 0x7fef2c1e88a
CoUninitializeEE+0x4d7cd GetMetaDataInternalInterface-0x29f4f clr+0x50971 @ 0x7fef2bd0971
CoUninitializeEE+0x4cd27 GetMetaDataInternalInterface-0x2a9f5 clr+0x4fecb @ 0x7fef2bcfecb
DllRegisterServerInternal-0xcc6 clr+0x24da @ 0x7fef2b824da
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bcf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bcf242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2c1b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2c1ad83
mscorlib+0x563c95 @ 0x7fef1a83c95
mscorlib+0x486001 @ 0x7fef19a6001
0x7fe93521010
0x7fe93520ccb
mscorlib+0x53407e @ 0x7fef1a5407e
mscorlib+0x4ef8a5 @ 0x7fef1a0f8a5
mscorlib+0x4ef609 @ 0x7fef1a0f609
mscorlib+0x533e55 @ 0x7fef1a53e55
mscorlib+0x533c75 @ 0x7fef1a53c75
mscorlib+0x49b82a @ 0x7fef19bb82a
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bcf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bcf242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2bcf30b
DestroyAssemblyConfigCookie+0x2123d PreBindAssembly-0x613 clr+0x1027c1 @ 0x7fef2c827c1
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2c76d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2c76d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2c76c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2c76dbb
DestroyAssemblyConfigCookie+0x211a4 PreBindAssembly-0x6ac clr+0x102728 @ 0x7fef2c82728
DestroyAssemblyConfigCookie+0x1834b PreBindAssembly-0x9505 clr+0xf98cf @ 0x7fef2c798cf
DestroyAssemblyConfigCookie+0x1824f PreBindAssembly-0x9601 clr+0xf97d3 @ 0x7fef2c797d3
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef2d066ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 48 8b 00 48 8b 40 40 4c 8b 9d 50 01 00 00 48 8b
exception.instruction: mov rax, qword ptr [rax]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe9354d718
registers.r14: 0
registers.r15: 0
registers.rcx: 8787503087645
registers.rsi: 0
registers.r10: 8789975305688
registers.rbx: 0
registers.rsp: 472774800
registers.r11: 472756720
registers.r8: 32
registers.r9: 8791558582712
registers.rdx: 8791552887176
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 206 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef321b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9340c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9341b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9340a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9344c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9341d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9340b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93561000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 14, 2023, 9:23 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Archive PDFViewer.exe @ PDFViewer.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All